How can I restrict a user to only search a specific set of peers in our Splunk Enterprise environment?

vsingla1
Communicator

Can I restrict a user to search on a specific set of peers? E.g. there are 3 search peers in our Splunk Enterprise environment, so how can I restrict a user to search by default on only 2 peers and exclude the third one? I know this sort of restriction can be done on an index (internal vs. non-internal).

Thanks,
Vineet

1 Solution

alacercogitatus
SplunkTrust

Yes! You can. So let's make a role, call it TwoPeer. TwoPeer is created in the web interface and has a special setting called "Search Filter". In this box, place the search that will be appended to all searches run by users assigned this role. So "splunk_server=sp1 OR splunk_server=sp2" would restrict to those two indexers. A Search Filter of "NOT splunk_server=sp3" would give you almost the same result, but would allow the user to search "sp4" if one ever came online.

You can also set srchFilter on the authorize.conf file where the roles are defined.

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Authorizeconf

Lucas_K
Motivator

It should be noted that there is a bug (well, I think it's a bug) with using search filters and roles.

It has a weird behavior unlike any other setting in splunk.

If you use any sort of imported role which has a search filter, it will NOT be applied IF your current role doesn't explicitly state a search filter option. If you DO include it, then it will stack the filters together and not apply the highest-precedence stanza (i.e. the normal operation for every single other stanza in Splunk).

i.e. a broken configuration:

[role_user]
srchFilter = splunk_server=server_1

[role_custom_user]
importRoles = user

I found this issue when trying to apply a filter to roles all of which inherited admin/power or user roles.
You have to explicitly give every role a filter, unfortunately, which makes inheritance useless. I had to manually add the filter for 300+ roles 😞

0 Karma
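The accepted answer shows a srchFilter restricting a role to two search peers, and the comment above describes a role that imports a filtered role but declares no srchFilter of its own, so the inherited filter is silently not applied. The script below is an added example (not code from the thread or from Splunk): it parses an authorize.conf fragment and flags every role that would run unfiltered under the behaviour described above. The authorize.conf text is constructed for the example; the stanza and key names (role_*, importRoles, srchFilter) are the real authorize.conf ones. The inheritance model is an assumption taken from the comment: a role gets a filter only if it declares srchFilter itself, and filters declared by imported roles are then stacked with it. The thread does not say how Splunk combines stacked filters, so the code only lists them rather than joining them with AND or OR.

```python
"""Audit srchFilter inheritance in a Splunk authorize.conf (added example)."""
import configparser
from typing import Dict, List, Optional

# Constructed sample authorize.conf for this example (not from the thread).
# [role_twopeer] is the accepted answer's two-indexer filter; [role_user] and
# [role_custom_user] reproduce the broken inheritance case from the comment.
SAMPLE_AUTHORIZE_CONF = """
[role_twopeer]
importRoles = user
srchFilter = splunk_server=sp1 OR splunk_server=sp2

[role_user]
srchFilter = splunk_server=server_1

[role_custom_user]
importRoles = user

[role_custom_power]
importRoles = power;custom_user
srchFilter = index=app

[role_power]
importRoles = user
"""


def parse_roles(conf_text: str) -> Dict[str, dict]:
    """Return {role: {"imports": [...], "filter": str|None}} from role_* stanzas."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case: srchFilter, importRoles
    parser.read_string(conf_text)
    roles: Dict[str, dict] = {}
    for stanza in parser.sections():
        if not stanza.startswith("role_"):
            continue
        section = parser[stanza]
        # importRoles is a semicolon-delimited list in authorize.conf
        imports = [r.strip() for r in section.get("importRoles", "").split(";") if r.strip()]
        srch_filter = section.get("srchFilter", "").strip() or None
        roles[stanza[len("role_"):]] = {"imports": imports, "filter": srch_filter}
    return roles


def inherited_filters(roles: Dict[str, dict], name: str, _seen=None) -> List[str]:
    """srchFilter values declared by every ancestor of `name` (transitive, DFS order).

    Each ancestor is visited once, so diamonds and import cycles terminate.
    """
    seen = _seen if _seen is not None else set()
    found: List[str] = []
    for parent in roles.get(name, {}).get("imports", []):
        if parent in seen:
            continue
        seen.add(parent)
        parent_filter = roles.get(parent, {}).get("filter")
        if parent_filter:
            found.append(parent_filter)
        found.extend(inherited_filters(roles, parent, seen))
    return found


def effective_filters(roles: Dict[str, dict], name: str) -> Optional[List[str]]:
    """Filters applied to `name` under the behaviour described in the thread.

    Assumption: no own srchFilter means nothing is applied (None); with an own
    srchFilter, the ancestors' filters are stacked on top of it.
    """
    own = roles[name]["filter"]
    if own is None:
        return None
    return [own] + inherited_filters(roles, name)


def audit(roles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Roles that inherit at least one srchFilter but declare none themselves.

    These are the roles that run with no peer/index restriction at all.
    """
    findings: Dict[str, List[str]] = {}
    for name, role in roles.items():
        if role["filter"] is None:
            lost = inherited_filters(roles, name)
            if lost:
                findings[name] = lost
    return findings


if __name__ == "__main__":
    parsed = parse_roles(SAMPLE_AUTHORIZE_CONF)
    for role_name in sorted(parsed):
        print(f"{role_name:14s} -> {effective_filters(parsed, role_name)}")
    for role_name, lost in audit(parsed).items():
        print(f"WARNING: role '{role_name}' declares no srchFilter; inherited {lost} not applied")
```

Run against a real authorize.conf (for example `splunk btool authorize list --debug` output trimmed to the stanzas, or the file from the app's local directory), the WARNING lines are the roles to which you would have to add an explicit srchFilter, as the comment above ended up doing by hand.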

vsingla1
Communicator

Done!!!!!!

0 Karma

vsingla1
Communicator

I got it. That's very much doable. Thanks for the reply.

0 Karma

alacercogitatus
SplunkTrust

Please mark the answer as accepted if it has successfully answered your question. Thanks!

0 Karma

vsingla1
Communicator

I read it in the Splunk Search manual for 6.1.4. Below is the exact line copied from the manual:
"The default peers that you can access are controlled by the roles and permissions associated with your profile and set by your Splunk admin. For more information, see "About users and roles" in Securing Splunk".

I know it can be specified in the search like splunk_server=. But the manual says it can be controlled via roles and permissions also. That led to my curiosity.

Thanks,
Vineet

0 Karma

vsingla1
Communicator

Suppose there are three roles: Role1, Role2, Role3. The link that you provided explains that all roles can be restricted to a specific search peer.
But is it possible to customize and restrict Role1 to Peer1, Role2 to Peer2 and Role3 to Peer1?
I know it can be done for an index, like Role1 to Index2, Role2 to Index3 and Role3 to Index1.

0 Karma

rsennett_splunk
Splunk Employee

No, the link to the other answer does not mention "roles". You're right. You can assign specific default indexes to roles, you cannot define specific search peers per role.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

vsingla1
Communicator

As I said earlier, from the manual, it seemed this kind of setting could be accomplished. So I thought of exploring more on it. But it seems the search came to a dead end.

0 Karma

rsennett_splunk
Splunk Employee

Can I ask why? That might make your need more clear.
When you say "search" do you mean ad_hoc searches? All searches? Are all the indexes the same on all three?

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!

rsennett_splunk
Splunk Employee

This might be helpful to you in the meantime: http://answers.splunk.com/answers/215164/how-do-i-restrict-searches-to-specific-search-peer.html#ans...

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma